In a burst of wikipanic, Bank of America has dived into full-on counterespionage mode…15 to 20 bank officials, along with consulting firm Booz Allen Hamilton, will be “scouring thousands of documents in the event that they become public, reviewing every case where a computer has gone missing and hunting for any sign that its systems might have been compromised.”

Interesting that they needed Booz Allen Hamilton. I thought Bank of America was a Vontu DLP (now Symantec) customer. It says something about the technology either not working, being discarded or simply not implemented properly, because the Wikileaks announcement was made in October 2009. So it took BoA over a year to respond. Good luck finding forensics over a year after the leak happened.

This is a good thing for information security consultants and solution providers, especially if it drives companies to invest in DLP. There are some good technologies out there and companies that implement DLP thoughtfully (even if for dubious reasons) will be profiting from the improved visibility into transactions on their network and better protection of IP and customer data.

Ethics of the bank executive aside, it is conceivable (albeit totally speculative), that the Obama administration is behind the Wikileaks disclosures on US banking. It is consistent with the Obama policy that required banks to accept TARP funds and stress testing in order to make the financial institutions more beholden to the Federal government. This is consistent with the State Department cables leak, which also appears (from my vantage point in the Middle East) to be deliberately disclosed to Wikileaks in order further the agenda against the Iranians without coming out and saying so specifically.

As one of the pioneers in the DLP (data loss prevention) space and an active data security consultant in the field since 2003 – I am not surprised when civilians like the authors of the article and the current US administration claim discovery of America, once they discover that the emperor is naked. Of course there is an insider threat and of course it is immune to anti-virus and firewalls and of course the US Federal government is way behind the curve on data security – installing host-based security which was state of the art 7 years ago.

My Dad, who worked in the US and Israeli Defense industry for over 50 years is a PhD in systems science. He asked me how it happened that Wikileaks was able to hack into the US State Department cables. I explained that this was not an external attack but a trusted insider leaking information because of a bribe or anger at Obama or Clinton or a combination of the 4 factors. My Dad just couldn’t get it. I said look – you know that there is a sense of entitlement with people who are 20-30 something, that permits them to cross almost any line. My Dad couldn’t get that either and I doubt that the US Federal bureaucrats are in a better place of understanding the problem.

Data leakage by trusted insiders is a complex phenomenon and without doubt, soft data security countermeasures like acceptable use policies have their place alongside hard-core content interception technologies like data loss prevention. As Andy Grove once said – “a little fear in the workplace is not a bad thing”. The set of data security countermeasures adopted and implemented must be a good fit to the organization culture, operation and network topology.

BUT, most of all – and this is of supreme importance – it is crucial for the head of the management pyramid to be personally committed by example and leadership to data protection.

The second key success factor is measuring the damage in financial terms. It can be argued that the Wikileaks disclosures via a trusted insider did little substantive damage to the US government and its allies and opponents alike. If anything – there is ample evidence that the disclosure has helped to clear the air of some of the urban legends surrounding US foreign policy – like the Israelis and the Palestinians being key to Middle East peace when in fact it is clear beyond doubt that the Iranians and Saudi financing are the key threats that need to be mitigated, not a handful of Israelis building homes in Judea and Samaria.

As an afternote to my comments on the SCIAM article, consider that after the discovery of America, almost 300 years went by before Jefferson and the founding fathers wrote the Declaration of Independence. I would therefore expect that in the compressed 10:1 time of Internet years, it will be 30 years before organizations like the US government get their hands around the trusted insider threat.

It’s one of those things that European-based information security consultants must ask themselves at times – why isn’t my phone ringing off the hook for DLP solutions if the European Data protection directives are so clear on the requirement to protect privacy?

If McAfee is jumping into this area – then it might explain some of the synergy with the Intel acquisition – two years ago, Intel went public with products aimed at driving medical monitoring into the home – see Intel launches medical device for home patient monitoring. Home monitoring (the Intel Health Guide is a 10.5″ tablet) “is a big area of focus and a growth opportunity for Intel” according to Mariah Scott, director of sales and marketing for Intel’s Digital Health Group.

Enhance device security
Protect embedded devices against existing and unknown zero-day threats via malware (such as worms, viruses, Trojans and buffer-overflow threats, etc.). Because many embedded devices such as ATMs and kiosks have a large attack area, they face increased security vulnerabilities. McAfee Embedded Security ensures that the device—when in production and in the field—is secure and cannot be compromised.

The McAfee product is clearly aimed at embedded Windows devices – which are unfortunately over half of embedded medical devices, since a good many software developers come from IT backgrounds and don’t have the cojones to deal with Linux, let alone embedded Linux on small-footprint hardware. Some of the collateral makes a lot of sense while other parts seem like typical security vendor marcom – like the part about assuring HIPAA compliance with tamper-free logs. When you have a hammer, everything looks like a nail, as I noted in my post last year on the true cost of HIPAA privacy violations.

The product feels like a commercialization of a project that their professional services group did for a particular customer. The discussion about supporting integration of multi-vendor channels sort of smells like an Intel aphorism, and while it might serve Intel, multi-vendor channel integration may be the exception rather than the rule in the medical device space, since most medical device vendors are small specialized business units or startups intent on preserving their own IP.

Are we in the same valley of death that held content management applications in the 90s? Where companies spent 6-7 figures on content management from companies like Vignette and over 50% of the projects never got off the ground?

In my experience – when it comes to data security, data loss prevention, DLP projects – the top 2 responses to data security threats are “accept the risk” followed by “cancel the project” in a close second place.

The other alternatives are almost all non-starters. The question is – why?

Eliminating risk by changing the business process is often not an option or too much trouble for employees. For example – consider the process of transferring documents to external contractors – even though it’s trivial to encrypt documents inside a Zip file and share the password – most companies don’t make it part of their security procedure and those that do require encryption of documents sent to external business partners, don’t deploy DLP monitoring to ensure compliance with the encryption policy.
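As an added example (not code from the original post), here is the kind of check a DLP monitor could apply to the encryption policy just described: it reads only the ZIP central directory and reports which entries are stored in the clear, so an outbound archive can be judged without holding the password. The archive contents and the policy function are constructed for the example.

```python
import io
import zipfile

# Bit 0 of the ZIP general-purpose flag marks an encrypted entry; both
# traditional PKWARE encryption and WinZip AES (compression method 99) set it.
ENCRYPTED_FLAG = 0x0001


def unencrypted_entries(archive_bytes: bytes) -> list[str]:
    """Names of file entries whose data is stored in the clear.

    Only the central directory is parsed, so this works on archives we hold
    no password for and never reads the entry contents.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and not info.flag_bits & ENCRYPTED_FLAG]


def check_outbound_archive(archive_bytes: bytes, external: bool) -> tuple[bool, list[str]]:
    """Policy from the post: every entry in an archive sent to an external
    business partner must be encrypted; internal transfers are not restricted.
    Returns (compliant, names_of_cleartext_entries)."""
    clear = unencrypted_entries(archive_bytes)
    return (not external or not clear), clear


def build_sample(mark_encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted data, so the
    'encrypted' sample only sets the flag in the central directory, which is
    exactly the field the check above inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rfp/bid.docx", b"constructed classified RFP text")
        zf.writestr("rfp/prices.xlsx", b"constructed pricing data")
        if mark_encrypted:
            for info in zf.infolist():  # flags are written to the central directory on close
                info.flag_bits |= ENCRYPTED_FLAG
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("cleartext", build_sample(False)), ("encrypted", build_sample(True))):
        ok, clear = check_outbound_archive(data, external=True)
        print(f"{label}: compliant={ok} cleartext_entries={clear}")
```

Entry names stay readable even when contents are encrypted, so the same listing also shows what a classified archive reveals about itself; the flag says nothing about the strength of the password shared with the contractor.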

There are multiple reasons for data security risk being accepted by business managers. Most are related to cost, complexity, changing business requirements and a tacit disbelief in effectiveness of technology in preventing data theft and fraud.

The reasons for accepting data security risk are related to the difference between being secure and feeling secure. Since most companies don’t monitor data flows, they don’t know how many sensitive digital assets are being leaked to the competition – ergo they don’t have the empirical data to analyze their data security threats and measure data security risks in terms of dollar threat to the business. Such data would enable a business to deploy data security countermeasures and be secure at an acceptable cost. It would also enable them to measure the cost effectiveness of their data security technology and challenge their innate beliefs and skepticism.

However – the company management already feel secure because they have delegated that part of the business to the information security folks and reading the papers tells them that customers (not the business management) pay the cost of a data security breach.

As a kid growing up in South Jersey – when there was the occasional report of an urban boondoggle or million dollar NASA toilets – my Dad (who worked for RCA on defense projects and knew about these things) would always use the expression – “Other people’s money” or if it was closer to home – “Pa’s rich and Ma don’t care”…which is really close to home this year for Americans as President Obama takes the US to an unprecedented $1.35 trillion budget deficit in 2010.

One of the famous canons in the Jewish Passover “seder” ritual is 4 questions from 4 sons – the son who is wise, the son who is wicked, the son who is innocent and the son who doesn’t know enough to ask.

I sometimes have this feeling of déjà vu when considering data security technology solutions. Although the analogy is not at all parallel – I have written a list of 4 questions to be asked when considering a DLP solution – these questions require clear, authoritative answers just like in the Passover seder (no comparison intended).

What is the key threat scenario?

How much Value at Risk is on the table?

Who owns the project?

Does the DLP technology fit the threat scenario?

1 – What is the key threat scenario?

Here are some typical threat scenarios – the key threat scenario should keep a C-level executive awake at night.

2 – What is your value at risk?

Once you have identified the key threat scenario, you must know how much value at risk is generated when a threat exploits vulnerabilities to cause damage to assets. The basis for measuring VaR (value at risk) is the asset value (generally determined by the CFO) –

The VaR is reduced by a set of security countermeasures that also have a cost. VaR is best calculated in a data security based risk assessment that uses DLP technology to measure frequencies of threat occurrence and a calculative threat model to derive VaR.

Most companies are not at a sufficient level of security maturity to do this exercise themselves – and will need an independent consultant with specific data security expertise and the ability to do analytical threat modeling.

Within a couple weeks, you should be able to get a picture of your current data security events, know your data value at risk in Euro and build a prioritized program for cost-effective DLP countermeasures.
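The following is an added worked example (not the author's model or any vendor's tool) of the calculative threat model described under question 2, and of the earlier point about measuring risk in money terms: annual VaR per threat from a CFO-supplied asset value and a DLP-measured event frequency, countermeasures that remove a fraction of it at an annual cost, and a greedy prioritization by VaR reduced per euro within a budget. All names and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset_value: float       # EUR, supplied by the CFO
    annual_frequency: float  # events per year, measured with DLP monitoring
    damage_fraction: float   # share of the asset value lost per event

@dataclass
class Countermeasure:
    name: str
    annual_cost: float            # EUR per year
    mitigation: dict[str, float]  # threat name -> fraction of its VaR removed

def total_var(threats, measures) -> float:
    # Residual annual VaR in EUR: asset value x frequency x damage fraction per
    # threat, with mitigations against one threat composing multiplicatively.
    total = 0.0
    for t in threats:
        residual = 1.0
        for m in measures:
            residual *= 1.0 - m.mitigation.get(t.name, 0.0)
        total += t.asset_value * t.annual_frequency * t.damage_fraction * residual
    return total

def prioritize(threats, candidates, budget: float):
    # Greedy plan: keep adding the measure with the best VaR reduction per euro
    # that fits the remaining budget and removes more VaR than it costs.
    chosen, pool, remaining = [], list(candidates), budget
    while pool:
        base, best, best_ratio = total_var(threats, chosen), None, 0.0
        for m in pool:
            if m.annual_cost > remaining:
                continue
            reduction = base - total_var(threats, chosen + [m])
            if reduction > m.annual_cost and reduction / m.annual_cost > best_ratio:
                best, best_ratio = m, reduction / m.annual_cost
        if best is None:
            break
        chosen.append(pool.pop(pool.index(best)))
        remaining -= best.annual_cost
    return chosen, total_var(threats, chosen)

def sample_scenario():
    # Constructed figures, not client data; the three VaRs are 600k, 200k and 100k EUR.
    threats = [Threat("insider email", 5_000_000, 6, 0.02),
               Threat("cleartext zip", 1_000_000, 40, 0.005),
               Threat("lost laptop", 5_000_000, 2, 0.01)]
    measures = [
        Countermeasure("awareness training", 10_000, {"insider email": 0.2, "cleartext zip": 0.2, "lost laptop": 0.1}),
        Countermeasure("DLP email monitoring", 60_000, {"insider email": 0.7, "cleartext zip": 0.5}),
        Countermeasure("encryption policy enforcement", 15_000, {"cleartext zip": 0.8}),
        Countermeasure("full disk encryption", 80_000, {"lost laptop": 0.9})]
    return threats, measures
```

With a 100,000 EUR budget the greedy plan takes training, then encryption enforcement, then DLP monitoring (85,000 EUR spent) and leaves 250,000 EUR of the original 900,000 EUR at risk; disk encryption is priced out, which is the kind of trade-off the CFO should see in writing.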

3 – Who owns the project?

Beware of organizational politics and silos and conflicting agendas. Need I say more?

4 – Does the DLP technology fit the threat scenario?

Just because the vendor sold you an anti-virus product doesn’t mean that his DLP technology is a good fit (even if it’s free).

Example A: A network DLP solution may be required with 1 GB/s throughput; if the technology saturates at 200 MB/s then the solution is not a good fit.

Example B: An agent DLP solution may be required that is capable of identifying IP in AutoCAD files; if the content analysis software is incapable of decoding AutoCAD, then the countermeasure does not mitigate the vulnerability.

I believe that there are 3 root causes for why many organizations worldwide do not take a leadership position in enterprise information protection.

Preventing information security events is an admission of weakness. Who wants to spend money on something when the first step is admitting that you’re vulnerable and that your existing security systems, policies and procedures do not meet business requirements?

We live in an age of instant gratification. Need music – go to Deezer. Need security – get a UTM from Checkpoint. Click on a set of canned DLP policies for PCI DSS 1.2 compliance – never mind that you design and manufacture motorcycles.

The need to walk on the safe side, not on the wild side. Who wants to spend 6-7 figures on an EIP (enterprise information protection) system that requires data discovery from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who couldn’t care less, and buy-in from a CEO who is scrambling for survival with the board during the biggest financial crisis in 80 years?
Especially after the CEO has sworn off enterprise software for Lent.

What is interesting and generally overlooked – is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures; the Americans are compliance driven and IT top-heavy. I imagine if you look at DLP sales – 98% are in the US, being (right or wrong) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play – collecting data in several realms – data channels, content and organizational anomalies (downloads, uploads etc…).

In addition – there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health. In a successful business unit – people are happy, and happy people contribute to the success of the business. Unhappy people don’t identify, have problems contributing and leave or cross the line to malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA) – the key value add of DLP technology is not the prevention part but the monitoring part and its role in a feedback / educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.

The Book of Balance and Harmony (Chung-ho chi), a medieval Taoist book

Will security vendors, large to small (Symantec, McAfee, nexTier, ANBsys and others…) succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

Human error – cc’ing a supplier by mistake on a classified RFP document

System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on

Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)

Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most customers have a high awareness of DLP products but fewer (especially outside the US) are buying DLP technologies and even fewer are succeeding with their DLP implementations. This stems from the customer and vendors’ inability to answer two simple questions:

If there is no clear business need for information protection (the kind that a CEO can enunciate in a sentence) – the company is not going to buy DLP technology.

The business need for data security derives directly from the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

BANKING
Typical data security drivers:
A real event, such as theft of confidential customer account information by trusted insiders
Privacy regulations such as the Gramm-Leach-Bliley Act and HIPAA
The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events
Decision-makers: CSO or CIO

CREDIT CARD ISSUERS
Typical data security drivers:
Ongoing theft of customer transactional information by customer service reps
Data breach threat to credit card numbers that haven’t yet been printed on plastic cards and issued to card holders

TELECOM/ONLINE BUSINESS
(Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
Typical data security drivers:
Prepaid code files
Pricing data
Strategic marketing plans
Call detail records (analogous to credit card transaction records; these are extrusions by customer service representatives to private investigators and difficult to detect)
Customer credit card records
Decision-makers: VP of internal audit, VP of technologies

HEALTH CARE
Typical data security drivers:
Privacy regulations/HIPAA
Need to protect pricing data of drugs and supplies purchased by the health care organization